Mac OS X Lion flaw allows illicit password changes

Due to security oversights in the design of Apple's latest operating system, an attacker can easily obtain users' encrypted passwords, and even change such credentials without authorization, a security researcher has warned.

The issue, uncovered Sunday by Patrick Dunstan of the information security blog Defence in Depth, involves the authentication scheme in Mac OS X 10.7 (Lion), which was released in July.

In Lion, as well as previous OS X versions, user passwords are encrypted and stored in so-called shadow files, which can only be viewed by users with root privileges, Dunstan said. While non-root users cannot access the shadow files, Lion allows any user – even those without administrator privileges – to obtain stored password hash data through an openly readable directory.

“It appears in the redesign of OS X Lion's authentication scheme, a critical step has been overlooked,” he wrote in a blog post. “Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.”

Beyond just extracting users' password hashes, attackers also would be able to change a password without authorization.

“Why crack hashes when you can just change the password directly!” Dunstan wrote. “It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user.”

As a result, an attacker with access to a logged-in Mac would be able to change a user's password without even knowing their existing login information, Chet Wisniewski, senior security adviser at anti-virus firm Sophos, said in a blog post Tuesday. Previous OS X versions required users to enter their existing password before being able to change it.

“If your Mac were left unlocked and someone changed your password, you would no longer be able to boot your computer and potentially would lose access to all of your data,” Wisniewski wrote.

Apple did not respond to a request for comment when contacted by SCMagazineUS.com on Tuesday.